History

14 May 2017

359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever.

Wait, what? WannaCry isn’t unprecedented! Why would any professional in the field think so? I’m talking about Code Red, and it happened in July, 2001.

Since then dozens, perhaps hundreds of Best Common Practice documents (several of which I’ve personally worked on) have been tirelessly written, published, and evangelized, apparently to no good effect. Hundreds of thousands, perhaps millions of viruses and worms have come and gone.

Criminal charges should be considered: Anyone who administers a system that touches critical infrastructure, and whose computers under their care were made to Cry, if people suffered, or died, as is very much a possibility for the NHS patients in the UK, should be charged with negligence. Whatever ransom was paid should be taken from any termination funds they receive, and six weeks’ pay deducted, since they clearly were not doing their job for at least that long.

Harsh? Not really. The facts speak for themselves. A patch was available at least six weeks prior (and yesterday, was even made available by Microsoft for ‘unsupported’ platforms such as Windows XP), as was the case with Code Red.

One representative from a medical association said guilelessly, in one of the many articles I’ve read since Friday ‘we are very slow to update our computers’. This from someone with a medical degree. Yeah, thanks for the confirmation, pal.

Someone should be arrested and charged, and by someone I mean systems administrators, ‘CSOs’ and anyone else in line to protect systems who abjectly failed this time, and failed badly. WannaCry infections of critical infrastructure are an inexcusable professional lapse. Or we could just do all of this again next time, and people may die.

Afterthought: My organization, CAUCE.org recently turned 20 years old. When it started, we didn’t believe things could get this bad, but it wasn’t too soon after that it became apparent. I issued dire warnings about botnets in 2001 to the DHS, I made public pronouncements to these ends in 2005 (greeted by rolled eyes from an RCMP staff sergeant). I may have been a little too prescient for my own good at the time, but can anyone really say, in this day and age, that lives are at stake, and we are counting on those responsible for data safety to at least do the bare minimum? I await your comments, below.

01 July 2014

We (Chris Lewis, John Levine, and myself) founded CAUCE CANADA on November 30, 1998. Our dream of a Canadian anti-spam law was realized today, July 01, 2014, some 15 years and seven months later.

The process was arduous, fraught with fits and starts, setbacks and goals achieved, but with consistent hard work and an unwavering belief in the fact that end-users have the fundamental right to choose what messaging imposes itself upon them, we got it done.

23 October 2013

M3AAWG 29th General Meeting, Montreal, Oct. 23, 2013 – One person’s passion, insight and behind-the-scenes resolve has given rise to a new approach to training 21st century “digital detectives” who can better identify cybercrime and protect end-users. Gary Warner has developed the University of Alabama’s Center for Information Assurance and Joint Forensics Research into a multi-dimensional educational program that has successfully collaborated with law enforcement and the industry in fighting real-world email and Internet threats. Recognizing his accomplishments, the Messaging, Malware and Mobile Anti-Abuse Working Group today presented Warner its annual J.D. Falk Award for innovative work contributing to the good of the online community.

“Cybercrime criminals are well equipped and fairly blatant. Yet there are few academic programs out there teaching cyber-forensics and anti-abuse work. Gary Warner has made it his life’s work to develop a graduate degree in computer forensics that, from the ground up, emphasizes the strategic thinking and experience-based knowledge needed to detect malicious behavior and block threats. By educating a new breed of security expert, his work is also ensuring a safer Internet for future generations,” said Chris Roosenraad, M3AAWG Co-Chairman.

Warner, UAB’s Director of Research in Computer Forensics, takes a pragmatic approach to online security and his commitment to protecting the Internet goes back to the early 1990s when, as a young computer scientist, he began volunteering long hours to fighting viruses because, as he said at the time, “our field is putting users all over the world at risk and it’s my responsibility as a computer guy to make sure the tools we made aren’t harming people.”

Today he tells his students, “If your research isn’t going to help stop crime or help protect consumers and companies from real world cyber threats, it’s not research I want to do in my lab.” As a result, the Center’s reports have been instrumental in analyzing spear phishing campaigns, detecting fraudulent advertisers, and identifying computers covertly sending spam that appeared to be from financial institutions or federal agencies such as the FBI, the IRS and the Social Security Administration. It also contributed to the takedown of Koobface, a computer worm targeting social media users.

Established in 2011, the Center involves professors, students and industry partners from diverse disciplines who collaborate on its stated goal of “making the world a safer place for citizens of the 21st century.” It primarily focuses on computer forensics, classical wet chemistry forensics, image processing and natural language processing forensics. The Center started as a “broom closet” lab with two students; Warner has overseen its growth into an important industry resource of 40 researchers and five professors who are making concrete contributions to safeguarding end-users.

Among current research projects, the Center is looking at malicious voice- and video-over-Internet (VoIP) malware that can access confidential information on users’ devices. It also is researching malware that can be triggered by hidden messages – undetectable to humans – in music, videos or light from a TV.

Graduates of the program are now part of cyber investigation teams identifying and combating bots, DDoS attacks and other threats at government law enforcement agencies such as the FBI, the CIA and the U.S. State Department. The industry’s largest Internet firms and financial institutions have hired its students. Warner has also co-founded the anti-phishing and cyber-intelligence start-up Malcovery Security based on the Center’s pioneering research.

The J.D. Falk Award is named after a founding member of M3AAWG who was passionate about safeguarding the Internet, end-user security and the value of collaborative work. It recognizes individuals for specific achievements that enhance the Internet experience, protect end-users, and embody his spirit of volunteerism and community building. The 2013 award was presented at the opening session of the M3AAWG 29th General Meeting in Montreal. The four-day meeting, held jointly with the London Action Plan, was attended by 400 security experts from around the globe.

02 May 2011

On May 3rd, 1978, a Digital Equipment Corporation (DEC) marketing representative named Gary Thuerk and a DEC engineer named Carl Gartley sent what many believe to be the first email spam. (The message was dated May 1st, but sent on May 3rd.) It advertised two events in California promoting the new DECsystem-20, the first DEC computer capable of connecting easily to the ARPAnet, predecessor to the internet. The message was addressed (by hand) to every ARPAnet user on the West Coast of the United States that they could find, but ran into an unexpected limit: the mail program would only accept 320 addresses. The rest of the addresses bled into the body of the message, and some recipients forwarded it on.

Scattered around the Internet today (and every May) you'll find various articles heralding the 33rd anniversary of spam, counting the years from Gary's message. They'll remark that spam has been with us a long time, maybe quote a few anti-spam vendor statistics, and say spam isn't going anywhere. But that's just bad research.

The ARPAnet and later the NSFnet were strictly non-commercial, both by contract and by social compact. Anyone who violated that got a stern talking-to, and could lose their access and get fired or expelled. So while there was indeed an occasional misstep, an occasional commercial message, they were very rare.

This changed in the mid-1990s, as the internet first became available to the general public. Commercial use was still hesitant, but increasing rapidly. Some of the early commercial users were entrepreneurs who are now considered geniuses; others were hucksters who are now in jail, or dead.

A common "get rich quick on the internet" scam was to sell books and kits for getting rich quickly on the internet. Often they were simply lists of ISPs by area code, some instructions paraphrased from The Internet for Dummies, and a few templates you could use to create your own web site. But there were also lists of email addresses and email blasting software — the unfortunate and unwelcome beginnings of both the email marketing industry and the ongoing malware epidemic.

Commercial use increased, and we have the internet we do today. Spam increased even faster. But that doesn't mean spam can't be controlled, and reduced. Every month there's another botnet taken down, another major bust by law enforcement — those used to happen maybe once a year, if we were lucky. There has never before in the history of the internet been so much focus on spam, malware, and other so-called "cybercrime" from so many different agencies, mostly (finally!) collaborating with each other. The internet won't return to the old, pre-commercial days, but it will get better.

And while it's true that the first bulk unsolicited commercial email was sent in 1978, there are stories of non-commercial mass messaging going back much further — such as the MIT user who transmitted, in 1971, the words "There is no way to peace. Peace is the way." Perhaps we should consider that the first Tweet?

22 December 2010

The ARPA Computer Network is susceptible to security violations for at least
the three following reasons:
(1) Individual sites, used to physical limitations on machine access, have
not yet taken sufficient precautions toward securing their systems
against unauthorized remote use. For example, many people still use
passwords which are easy to guess: their first names, their initials,
their host name spelled backwards, a string of characters which are
easy to type in sequence (e.g. ZXCVBNM).
(2) The TIP allows access to the ARPANET to a much wider audience than
is thought or intended. TIP phone numbers are posted, like those
scribbled hastily on the walls of phone booths and men's rooms. The
TIP required no user identification before giving service. Thus,
many people, including those who used to spend their time ripping off
Ma Bell, get access to our stockings in a most anonymous way.
(3) There is lingering affection for the challenge of breaking
someone's system. This affection lingers despite the fact that
everyone knows that it's easy to break systems, even easier to
crash them.
All of this would be quite humorous and cause for raucous eye
winking and elbow nudging, if it weren't for the fact that in
recent weeks at least two major serving hosts were crashed
under suspicious circumstances by people who knew what they
were risking; on yet a third system, the system wheel password
was compromised -- by two high school students in Los Angeles
no less.
We suspect that the number of dangerous security violations is
larger than any of us know is growing. You are advised
not to sit "in hope that Saint Nicholas would soon be there".

Sound familiar? Bob Metcalfe wrote that in December of 1973, and it was published as RFC 602. Today, gaining access to the internet is far easier than finding a dial-in number written on a bathroom wall — but the rest is more true than even Bob imagined.
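The three password habits Metcalfe lists are still the first things an auditor checks for, so here is a small checker built from his list. This is an added example for this page, not code from RFC 602 or from CAUCE; the keyboard-row table, the sample accounts and their host names are constructed, and the handling of a trailing digit suffix ("bob1") goes one step beyond what the RFC says.

```python
"""Weak-password heuristics taken from RFC 602's list of guessable passwords.

Added example for this page; it is not code from RFC 602 or from CAUCE.
The keyboard rows, the sample accounts and their host names are constructed.
"""
import re

# US QWERTY rows (constructed table). A password that slides along one row
# in either direction is "a string of characters which are easy to type in
# sequence" in RFC 602's words, e.g. ZXCVBNM, QWERTY, 0987.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _normalize(password: str) -> str:
    """Lower-case and drop a trailing run of digits ("Bob1" -> "bob").

    Assumption added here, not in RFC 602: a digit suffix is the usual way a
    user dresses up a name they were told not to use. An all-digit password
    is kept intact so the digit row can still catch "1234".
    """
    lowered = password.lower()
    stripped = re.sub(r"\d+$", "", lowered)
    return stripped or lowered


def is_keyboard_run(s: str, min_len: int = 4) -> bool:
    """True if s (already lower-cased) is a contiguous slice of one keyboard
    row, read forwards or backwards."""
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weak_password_reasons(password: str, first_name: str, last_name: str,
                          hostname: str) -> list:
    """Return the RFC 602 heuristics the password trips; empty list means none."""
    pw = _normalize(password)
    reasons = []
    if pw == first_name.lower():
        reasons.append("first name")
    if pw == (first_name[:1] + last_name[:1]).lower():
        reasons.append("initials")
    host = hostname.lower()
    # Both the full host name and its first label, reversed ("mit-dmcg" -> "gcmd-tim").
    if pw in (host[::-1], host.split(".")[0][::-1]):
        reasons.append("host name spelled backwards")
    if is_keyboard_run(pw):
        reasons.append("keyboard sequence")
    return reasons


# Constructed sample accounts; names, hosts and passwords are illustrative only.
SAMPLE_ACCOUNTS = [
    {"user": "bob", "first": "Bob", "last": "Smith", "host": "mit-dmcg", "password": "Bob1"},
    {"user": "alice", "first": "Alice", "last": "Jones", "host": "ucla-nmc", "password": "cmn-alcu"},
    {"user": "carol", "first": "Carol", "last": "Lee", "host": "sri-ai", "password": "ZXCVBNM"},
    {"user": "dave", "first": "Dave", "last": "Brown", "host": "bbn-tenex", "password": "Tr0ub4dor&3"},
]


def audit(accounts) -> dict:
    """Map user -> tripped heuristics for every account with a guessable password."""
    flagged = {}
    for acct in accounts:
        reasons = weak_password_reasons(acct["password"], acct["first"],
                                        acct["last"], acct["host"])
        if reasons:
            flagged[acct["user"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Run against the constructed accounts, three of the four are flagged (first name, reversed host name, keyboard row); only "Tr0ub4dor&3" passes. The check is meant to run against plaintext candidates at password-set time, not against a stored hash database.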

02 December 2010

The most effective early email-borne viruses didn't need botnets. They didn't change your computer settings, or steal your login credentials. And they somehow convinced regular users to help them spread.

The first warnings about the Good Times virus began to appear in November of 1994, and by December the warnings were seen all over as people did what the warning said, and forwarded it to all their friends. There was another outbreak the following March, which quickly mutated to include a reference to a report from the Federal Communications Commission. After returning in October, Good Times virus warnings became a part of the landscape which didn't fade away for years.

According to the primary Frequently Asked Questions document about Good Times, warnings were spread within AT&T, CitiBank, NBC, Hughes Aircraft, Microsoft, Texas Instruments, and many other large, technologically savvy companies. It was reported on news radio stations, and FAXed between branch offices.

The Good Times virus was said to spread via email messages with a subject of "Good Times" -- which was also the subject line for many of the warnings. It would erase your hard drive, destroy all your files, fill your ASCII buffer, send copies of itself to every address in your saved mail files, and/or place your computer's processor "in an nth-complexity infinite binary loop."

"It's an opportunistic self-replicating email virus", explained professor Clay Shirky, "which tricks its host into replicating it, sometimes adding as many as 200,000 copies at a go. It works by finding hosts with defective parsing apparatus which prevents them from understanding that a piece of email which says there is an email virus and then asks them to remail the message to all their friends is the virus itself."

Yep. The warning was the virus.

The internet was first becoming available to the wider public in 1994; most university students and faculty had accounts on educational systems, and AOL and other formerly standalone proprietary online services had hooked in. Information services, including what eventually became the World Wide Web, were connecting people as never before.

Some of these people were worried. They knew they didn't understand how email worked, or how computers worked. But they also wanted to help each other -- to learn, to stay safe, and just to share. So they forwarded the warning, and their friends forwarded it, and so forth.

All that the virus needed in order to get sent around the world over and over and over was a whole lot of gullible people who honestly thought they were being helpful.

If a virus's measure of success is how far it spreads, then the Good Times virus warning virus was the most successful virus of its day...and much of what made it so successful in the mid-1990s still holds true today. Just last week, Facebook users posted warnings for each other about a Christmas Tree virus which doesn't exist. Last year, misinformation about swine flu spread unbelievably quickly on Twitter, even with official sources posting hourly. And now, of course, any popular news headline quickly becomes the topic of black hat SEO trying to trick people into visiting malicious web sites. It has never been more important to stay aware, up to date...to confirm every claim, especially before installing new software you find on some unknown web site...to be just a bit more paranoid than really seems necessary.

As the Good Times warnings said: Happy Chanukah everyone, and be careful out there. Could you pass this along to your global mailing list as well?

(This article was originally published on Return Path's Received: Blog; reprinted with permission.)

02 November 2010

Kidnap. Rape. There are no lesser words that can be used to describe what happened to the daughter of an anti-spam investigator in Russia.

His daughter was recently released, according to Joseph Menn’s recent article on Boing Boing, after having been kidnapped from her home five years ago, fed drugs, and made to service men, as a warning to ward off further investigations.

The criminals behind these vicious acts were also responsible for a large spamming organization associated with Russian Mob activity.

Note that we say "also."

When someone is mugged, harassed, kidnapped or raped on a sidewalk, we don't call it "sidewalk crime" and call for new laws to regulate sidewalks. It is crime, and those who commit crimes are subject to the full force of the law.

For too long, people have referred to spam in dismissive terms: just hit delete, some say, or let the filters take care of it. Others — most of us, in fact — refer to phishing, which is the first step in theft of real money from real people and institutions, as "cyber crime." It's time for that to stop.

Some of these crimes involve technology. So what? Criminals have used technology before.

Some of these crimes cross borders. So what? Crimes have crossed borders before.

Spam isn't illegal everywhere yet. So what? Spam 2.0 (spam, malware & spyware) is the leading edge of far worse activities, often things that have been illegal as long as we've had laws.

It is high time that governments and law enforcement stop thinking of computer crime as that perpetrated by teenagers in their parents’ basement. It is the Russian Mob and other organized criminals that are doing this.

While we are at it, we should mention ‘cyber-warfare’, something too often conflated with cyber-crime. Cyber-crime is not "cyber-warfare.” There may be state or terrorist agencies copying the tactics and methods of these criminals, but that does not mean that the criminals must be left alone until new cyber-warfare agencies have been created and funded.

"Why aren't we seeing the investment and prioritization being made in law enforcement, first? Why is all the publicity, funding and prioritization being given to the military - with efforts such as the build-up of the military cyber command - when so much of the clear and present threat is from the criminal element and not from other nation-states?"

Just so, Prof. Spafford!

As we have said repeatedly on this site, these are criminal gangs who have found an incredible loophole in the justice systems of the world: they can rob banks and people, with little chance of getting caught, let alone going to jail. This is not because they're doing things that aren't illegal; they've just found a new way to hide.

David Black, manager of the RCMP's cyber infrastructure protection section, recently said to CAUCE Executive Director Neil Schwartzman “we don’t do spam”. OK, but why not? Spam is no longer, and hasn’t been for some time, about simply sending unwanted emails. Spam is now a delivery mechanism for malware, which in turn threatens infrastructure, and facilitates theft. We have seen precious few cases filed using existing Federal computer intrusion laws in Canada, and none, to our knowledge, have been filed under the renovated anti-phishing law, S-4, passed in September 2009.

Governments and law enforcement agencies need to begin to treat online theft with the same seriousness as they do other physical crimes. It is time to bring this up to the diplomatic level, or seriously consider refusing packets from places that treat the Internet, and innocent victims, as their personal ATM.

CAUCE is made up of people who care about email qua email. We understand it, we love it. It is still the ‘killer app’. Furthermore, we understand why some folks in law enforcement or the judiciary might ask, "When there are people stealing millions or hurting people in the commission of violent crimes, why are you wasting our time with 'just' a spam case?” Here's why:

Most spam is sent by organized criminal gangs, just like other organized crime.

Those gangs intentionally operate trans-nationally, in an effort to frustrate investigation and prosecution.

Money laundering of the proceeds from spam is routine, and that money directly fuels official corruption and other social ills.

Some spammers are actually selling something. Their favorite product? Counterfeit pharmaceuticals. In many cases these may be scheduled controlled substances, sold in bulk, and available to minors; in other cases, critical medicines needed to properly treat cancer and other serious illnesses may be counterfeit placebos, with potentially tragic results.

Spammers operate by compromising tens or hundreds of thousands of end-user PCs, violating those users' privacy and sometimes stealing sensitive personally identifiable information, including individuals’ and even corporations’ credentials for financial services, at the same time they're using those systems to spam. Computer ‘phishing’ is no less a crime than bank robbery, home invasion, or mugging.

Cyber criminals consider cyber crime to be a virtually riskless offense; they're unlikely to be identified; if identified, they're unlikely to be investigated; if investigated, they're unlikely to be charged and prosecuted; if prosecuted, they're unlikely to be convicted; if convicted, they're unlikely to do jail time.

The courts need to make it clear that that's wrong in all respects. If you commit cyber crimes, you will be identified, investigated, charged, prosecuted, convicted and sentenced to serious time and we will seize your assets.

This will not happen so long as crime which involves the Internet is dismissed as "cybercrime" and either scoffed at, or used to justify ever-increasing cyberwarfare budgets.

This isn't just email. This isn't a war. This isn't "cyber.” This is crime. It is time to call a cop, and expect a response.

Actually, that part's pretty simple. The .LY domain belongs to Libya, so their laws apply -- even if the registrant or their web site isn't physically in Libya. The company which manages registrations in .LY decided to permit registrations by companies or people outside of Libya, but they still own it.

Originally there were only a handful of "global" or "generic" top-level domains, known as gTLDs, available to anyone in any country: .COM, .NET, .ORG, and .EDU. .GOV and .MIL were effectively only for the United States. .INT, reserved for organizations created by international treaty, is rarely seen.

Each country has their own ccTLD, based on the ISO two-letter country codes. Some are fairly obvious to English speakers: .US for the United States, .CA for Canada, .UK for the United Kingdom, .AU for Australia. Some seem a bit more obscure, due to differences in language or conflicts with other names: .TD for Chad, .RS for Serbia, or .ZA for South Africa.

Each ccTLD authority sets their own rules for who is allowed to register one of their names. Island nations Tonga (.TO) and Tuvalu (.TV) have reportedly made some pretty good money by permitting non-local registrations. After splitting from Yugoslavia (.YU) and Serbia, Montenegro opened .ME in hopes of attracting English speakers -- and sold over 320,000 domains between 2008 and 2010. Colombia's .CO, which attracts typos of .COM, sold half a million in two months -- mostly to registrants in the United States.

But none of this addresses the real question: what do actual users care about?

In March the most popular search term on Google, Yahoo!, and Bing was "facebook". Other top searches across all three, according to Experian Hitwise, included youtube, myspace, craigslist, ebay, and gmail. Perhaps ironically, "google" was the second most popular search on Microsoft's Bing.

Does it matter whether Facebook is facebook.com, fb.me, facebook.ca, facebook.co.za, et cetera? Well, unfortunately, it kind of does. If a bad guy registered facebook.ql (which is just an example, there's no .QL ccTLD), then they could put up a site that mimics the real Facebook, and send phishing email which might have a better chance of fooling users than the usual nonsense domains. And, of course, there are the usual trademark issues. So, Facebook has had to register in all of these.

To put it another way: big brands are effectively required to register their trademark in every gTLD and ccTLD they can, because most users are completely unaware of gTLDs and ccTLDs. If the TLDs effectively separated different types of organizations, as was originally imagined, then this wouldn't be necessary.
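The facebook.ql scenario is exactly the kind of thing an abuse desk triaging phishing URLs wants to catch automatically: a brand's label sitting under a TLD the brand does not hold. The following is an added example for this page, not CAUCE or Return Path code. The brand inventory (BRANDS), the tiny stand-in for the Public Suffix List (MULTI_LABEL_SUFFIXES) and the sample URLs are all constructed; the ".ql" TLD is the post's own made-up example. It also goes one step past the post by flagging a brand label buried in a subdomain of someone else's domain (facebook.com.evil.example), the other shape this impersonation usually takes.

```python
"""Spot brand labels reused under TLDs the brand does not own.

Added example for this page, not CAUCE or Return Path code. BRANDS,
MULTI_LABEL_SUFFIXES and SAMPLE_URLS are constructed; a real deployment
would load the full Public Suffix List and the brand's real domain inventory.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which a
# registrant's name sits one label deeper (facebook.co.za, not co.za).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "co.za", "com.au"}

# Constructed inventory: brand label -> domains the brand is taken to hold.
# The Facebook set follows the post's list; returnpath.net is the post's own
# statement of where Return Path moved after leaving .BIZ.
BRANDS = {
    "facebook": {"facebook.com", "fb.me", "facebook.ca", "facebook.co.za"},
    "returnpath": {"returnpath.net"},
}


def registrable_domain(host: str):
    """Return the registrant-controlled part of host ("www.facebook.co.za" ->
    "facebook.co.za"), or None if host is only a TLD or a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def classify(url: str):
    """Return (verdict, registrable_domain) for the URL's host.

    verdict is 'brand' (a domain the brand holds), 'lookalike' (the brand's
    label under a TLD it does not hold, or the brand's label used as a
    subdomain of someone else's domain), 'unrelated', or 'unparseable'.
    """
    host = urlsplit(url).hostname
    if not host:
        return ("unparseable", None)
    reg = registrable_domain(host)
    if reg is None:
        return ("unparseable", host)
    label = reg.split(".")[0]
    # Labels to the left of the registrable domain, e.g. ["www", "facebook", "com"]
    # for www.facebook.com.evil.example.
    sub_labels = host.lower().split(".")[:-len(reg.split("."))]
    for brand, owned in BRANDS.items():
        if label == brand:
            return ("brand" if reg in owned else "lookalike", reg)
        if brand in sub_labels:
            return ("lookalike", reg)
    return ("unrelated", reg)


# Constructed sample: URLs as they might be pulled from a batch of abuse reports.
SAMPLE_URLS = [
    "https://www.facebook.com/login",
    "https://facebook.co.za/",
    "http://facebook.ql/login",
    "http://www.facebook.com.evil.example/login",
    "https://returnpath.biz/",
    "https://example.org/",
]


def triage(urls):
    """Return (url, offending registrable domain) for every impersonating URL."""
    hits = []
    for url in urls:
        verdict, reg = classify(url)
        if verdict == "lookalike":
            hits.append((url, reg))
    return hits


if __name__ == "__main__":
    for url, reg in triage(SAMPLE_URLS):
        print(f"lookalike: {url} ({reg})")
```

The split into registrable domain plus left-hand labels is what makes the two cases distinguishable: www.facebook.com is the brand's own host with a harmless subdomain, while www.facebook.com.evil.example is evil.example wearing the brand's name. Without a suffix list, facebook.co.za would be mis-read as the registrable domain "co.za" and the brand check would never fire on it.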

There's also another type of user to consider. Violet Blue chose to register vb.ly because she wanted something short and easy to remember, and was following the trend set by bit.ly, jl.ly, et cetera. Unlike .ME or .TV, the value wasn't that vb.ly has any particular meaning, but rather that it's short and appeared to be easy. URL shorteners are for the people who don't type "facebook" into google, and do want to share links to specific things. Of course, if web designers considered the length of URLs when designing their sites, this wouldn't be as much of an issue.

ICANN, the quasi-non-governmental organization which oversees these top-level domains, has introduced quite a few other gTLDs in recent years. Many of these are restricted in some fashion, which helps to reduce the land rush; for example, .MUSEUM is only for museums, though of course most museums already have domains under .ORG, .EDU, .GOV, or an appropriate ccTLD.

Only two of the newer gTLDs are unrestricted: .INFO, and (for most purposes), .BIZ. When was the last time you saw a company put their primary site in .BIZ or .INFO, rather than having it be a redirect to their site in .COM? Oh hey, it was Return Path -- and we switched a few years ago to returnpath.net, because most of our neighbors in .BIZ were spammers or phishers. .INFO has the same spam problem; some spam filtering software sees the mere presence of .BIZ or .INFO as increasing the likelihood that a message is spam.

Ignoring these concerns, ICANN has decided to open up the namespace further and permit pretty much anyone with $185,000 and a bunch of nameservers to register their own gTLD -- likely before next March. It's unclear if anyone actually wants this except the potential new gTLD registries, who stand to earn a lot of money over trademark concerns. For example, the .CO registry initially offered a "Specially Protected Marks" program, permitting companies to register their trademarks ahead of the general populace. .CO claims "100% Participation by Leading Brands", and any new unrestricted gTLDs can surely expect the same.

Even if a company creates a new gTLD for their own use, such as .IBM, they'll still need to keep ibm.com, lotus.com, et cetera -- everything they have now, plus the same trademarks in every other gTLD.

Once all that dust has settled, and the registries and ICANN have made their money, we'll still be left with an ever-greater threat of phishing or other brand hijacking. Most end users will still expect to find their friends by typing "facebook" into google, while a smaller number will still want shorter URLs.

If domain names are for end users -- if, indeed, the internet is for end users -- then why do we need more TLDs?